@microsoft/ccf-app 1.0.10 → 2.0.0-dev4

package/crypto.d.ts

@@ -10,6 +10,10 @@ export declare const generateRsaKeyPair: (size: number, exponent?: number | unde
  * @inheritDoc CCF.wrapKey
  */
 export declare const wrapKey: (key: ArrayBuffer, wrappingKey: ArrayBuffer, wrapAlgo: import("./global.js").WrapAlgoParams) => ArrayBuffer;
+/**
+ * @inheritDoc CCF.crypto.verifySignature
+ */
+export declare const verifySignature: (algorithm: import("./global.js").SigningAlgorithm, key: string, signature: ArrayBuffer, data: ArrayBuffer) => boolean;
 /**
  * @inheritDoc CCF.digest
  */
@@ -18,4 +22,8 @@ export declare const digest: (algorithm: "SHA-256", data: ArrayBuffer) => ArrayB
  * @inheritDoc CCF.isValidX509CertBundle
  */
 export declare const isValidX509CertBundle: (pem: string) => boolean;
-export { WrapAlgoParams, AesKwpParams, RsaOaepParams, RsaOaepAesKwpParams, CryptoKeyPair, DigestAlgorithm, } from "./global";
+/**
+ * @inheritDoc CCF.isValidX509CertChain
+ */
+export declare const isValidX509CertChain: (chain: string, trusted: string) => boolean;
+export { WrapAlgoParams, AesKwpParams, RsaOaepParams, RsaOaepAesKwpParams, CryptoKeyPair, DigestAlgorithm, SigningAlgorithm, RsaPkcsParams, EcdsaParams, } from "./global";

package/crypto.js

@@ -26,6 +26,10 @@ export const generateRsaKeyPair = ccf.generateRsaKeyPair;
  * @inheritDoc CCF.wrapKey
  */
 export const wrapKey = ccf.wrapKey;
+/**
+ * @inheritDoc CCF.crypto.verifySignature
+ */
+export const verifySignature = ccf.crypto.verifySignature;
 /**
  * @inheritDoc CCF.digest
  */
@@ -34,3 +38,7 @@ export const digest = ccf.digest;
  * @inheritDoc CCF.isValidX509CertBundle
  */
 export const isValidX509CertBundle = ccf.isValidX509CertBundle;
+/**
+ * @inheritDoc CCF.isValidX509CertChain
+ */
+export const isValidX509CertChain = ccf.isValidX509CertChain;

package/global.d.ts

@@ -27,7 +27,9 @@ export interface KvMap {
     get(key: ArrayBuffer): ArrayBuffer | undefined;
     set(key: ArrayBuffer, value: ArrayBuffer): KvMap;
     delete(key: ArrayBuffer): boolean;
+    clear(): void;
     forEach(callback: (value: ArrayBuffer, key: ArrayBuffer, kvmap: KvMap) => void): void;
+    size: number;
 }
 /**
  * @inheritDoc CCF.kv
@@ -140,6 +142,26 @@ export interface CryptoKeyPair {
      */
     publicKey: string;
 }
+/**
+ * RSASSA-PKCS1-v1_5 signature algorithm parameters.
+ */
+export interface RsaPkcsParams {
+    name: "RSASSA-PKCS1-v1_5";
+    hash: DigestAlgorithm;
+}
+/**
+ * ECDSA signature algorithm parameters.
+ *
+ * Note: ECDSA signatures are assumed to be encoded according
+ * to the Web Crypto API specification, which is the same
+ * format used in JSON Web Tokens and more generally known
+ * as IEEE P1363 encoding.
+ */
+export interface EcdsaParams {
+    name: "ECDSA";
+    hash: DigestAlgorithm;
+}
+export declare type SigningAlgorithm = RsaPkcsParams | EcdsaParams;
 export declare type DigestAlgorithm = "SHA-256";
 export interface CCF {
     /**
@@ -194,6 +216,24 @@ export interface CCF {
      * Validation is only syntactical, properties like validity dates are not evaluated.
      */
     isValidX509CertBundle(pem: string): boolean;
+    /**
+     * Returns whether a certificate chain is valid given a set of trusted certificates.
+     * The chain and trusted certificates are PEM-encoded bundles of X.509 certificates.
+     */
+    isValidX509CertChain(chain: string, trusted: string): boolean;
+    crypto: {
+        /**
+         * Returns whether digital signature is valid.
+         *
+         * @param algorithm Signing algorithm and parameters
+         * @param key A PEM-encoded public key or X.509 certificate
+         * @param signature Signature to verify
+         * @param data Data that was signed
+         * @throws Will throw an error if the key is not compatible with the
+         *  signing algorithm or if an unknown algorithm is used.
+         */
+        verifySignature(algorithm: SigningAlgorithm, key: string, signature: ArrayBuffer, data: ArrayBuffer): boolean;
+    };
     rpc: {
         /**
          * Set whether KV writes should be applied even if the response status is not 2xx.
@@ -212,3 +252,26 @@ export interface CCF {
      */
     historicalState?: HistoricalState;
 }
+export declare const openenclave: OpenEnclave;
+export interface EvidenceClaims {
+    claims: {
+        [name: string]: ArrayBuffer;
+    };
+    customClaims: {
+        [name: string]: ArrayBuffer;
+    };
+}
+export interface OpenEnclave {
+    /**
+     * Verifies Open Enclave evidence and returns the claims of the evidence.
+     *
+     * @param format The optional format id of the evidence to be verified as
+     *  a UUID of the form "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".
+     *  If this parameter is `undefined`, the evidence and endorsement
+     *  must either contain data with an attestation header holding a valid
+     *  format id, or be an Open Enclave report generated by the legacy API function
+     *  `oe_get_report()`. Otherwise, this parameter must be a valid format id, and
+     *  the evidence and endorsements data must not be wrapped with an attestation header.
+     */
+    verifyOpenEnclaveEvidence(format: string | undefined, evidence: ArrayBuffer, endorsements?: ArrayBuffer): EvidenceClaims;
+}

package/global.js

@@ -20,3 +20,4 @@
 // in a .d.ts definition file.
 // This avoids polluting the global namespace.
 export const ccf = globalThis.ccf;
+export const openenclave = globalThis.openenclave;

package/kv.d.ts

@@ -33,7 +33,9 @@ export declare class TypedKvMap<K, V> {
     get(key: K): V | undefined;
     set(key: K, value: V): TypedKvMap<K, V>;
     delete(key: K): boolean;
+    clear(): void;
     forEach(callback: (value: V, key: K, table: TypedKvMap<K, V>) => void): void;
+    get size(): number;
 }
 /**
  * Returns a typed view of a map in the Key-Value Store,

package/kv.js

@@ -45,6 +45,9 @@ export class TypedKvMap {
     delete(key) {
         return this.kv.delete(this.kt.encode(key));
     }
+    clear() {
+        this.kv.clear();
+    }
     forEach(callback) {
         let kt = this.kt;
         let vt = this.vt;
@@ -53,6 +56,9 @@ export class TypedKvMap {
             callback(vt.decode(raw_v), kt.decode(raw_k), typedMap);
         });
     }
+    get size() {
+        return this.kv.size;
+    }
 }
 /**
  * Returns a typed view of a map in the Key-Value Store,

package/openenclave.d.ts

@@ -0,0 +1,5 @@
+/**
+ * @inheritDoc OpenEnclave.verifyOpenEnclaveEvidence
+ */
+export declare const verifyOpenEnclaveEvidence: (format: string | undefined, evidence: ArrayBuffer, endorsements?: ArrayBuffer | undefined) => import("./global").EvidenceClaims;
+export { EvidenceClaims } from "./global";

package/openenclave.js

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the Apache 2.0 License.
+/**
+ * The `openenclave` module provides access to Open Enclave functionality.
+ *
+ * @module
+ */
+import { openenclave } from "./global";
+/**
+ * @inheritDoc OpenEnclave.verifyOpenEnclaveEvidence
+ */
+export const verifyOpenEnclaveEvidence = openenclave.verifyOpenEnclaveEvidence;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@microsoft/ccf-app",
-  "version": "1.0.10",
+  "version": "2.0.0-dev4",
   "description": "CCF app support package",
   "main": "index.js",
   "files": [

package/polyfill.js

@@ -36,11 +36,17 @@ class KvMapPolyfill {
     delete(key) {
         return this.map.delete(base64(key));
     }
+    clear() {
+        this.map.clear();
+    }
     forEach(callback) {
         this.map.forEach((value, key, _) => {
             callback(value, unbase64(key), this);
         });
     }
+    get size() {
+        return this.map.size;
+    }
 }
 class CCFPolyfill {
     constructor() {
@@ -59,6 +65,36 @@ class CCFPolyfill {
                 throw new Error("Not implemented");
             },
         };
+        this.crypto = {
+            verifySignature(algorithm, key, signature, data) {
+                let padding = undefined;
+                const pubKey = crypto.createPublicKey(key);
+                if (pubKey.asymmetricKeyType == "rsa") {
+                    if (algorithm.name === "RSASSA-PKCS1-v1_5") {
+                        padding = crypto.constants.RSA_PKCS1_PADDING;
+                    }
+                    else {
+                        throw new Error("incompatible signing algorithm for given key type");
+                    }
+                }
+                else if (pubKey.asymmetricKeyType == "ec") {
+                    if (algorithm.name !== "ECDSA") {
+                        throw new Error("incompatible signing algorithm for given key type");
+                    }
+                }
+                else {
+                    throw new Error("unrecognized signing algorithm");
+                }
+                const hashAlg = algorithm.hash.replace("-", "").toLowerCase();
+                const verifier = crypto.createVerify(hashAlg);
+                verifier.update(new Uint8Array(data));
+                return verifier.verify({
+                    key: pubKey,
+                    dsaEncoding: "ieee-p1363",
+                    padding: padding,
+                }, new Uint8Array(signature));
+            },
+        };
     }
     strToBuf(s) {
         return typedArrToArrBuf(new TextEncoder().encode(s));
@@ -153,8 +189,56 @@ class CCFPolyfill {
             throw new Error("X509 validation unsupported, Node.js version too old (< 15.6.0)");
         }
     }
+    isValidX509CertChain(chain, trusted) {
+        if (!("X509Certificate" in crypto)) {
+            throw new Error("X509 validation unsupported, Node.js version too old (< 15.6.0)");
+        }
+        try {
+            const toX509Array = (pem) => {
+                const sep = "-----END CERTIFICATE-----";
+                const items = pem.split(sep);
+                if (items.length === 1) {
+                    return [];
+                }
+                const pems = items.slice(0, -1).map((p) => p + sep);
+                const arr = pems.map((pem) => new crypto.X509Certificate(pem));
+                return arr;
+            };
+            const certsChain = toX509Array(chain);
+            const certsTrusted = toX509Array(trusted);
+            if (certsChain.length === 0) {
+                throw new Error("chain cannot be empty");
+            }
+            for (let i = 0; i < certsChain.length - 1; i++) {
+                if (!certsChain[i].checkIssued(certsChain[i + 1])) {
+                    throw new Error(`chain[${i}] is not issued by chain[${i + 1}]`);
+                }
+            }
+            for (const certChain of certsChain) {
+                for (const certTrusted of certsTrusted) {
+                    if (certChain.fingerprint === certTrusted.fingerprint) {
+                        return true;
+                    }
+                    if (certChain.verify(certTrusted.publicKey)) {
+                        return true;
+                    }
+                }
+            }
+            throw new Error("none of the chain certificates are identical to or issued by a trusted certificate");
+        }
+        catch (e) {
+            console.error(`certificate chain validation failed: ${e.message}`);
+            return false;
+        }
+    }
 }
 globalThis.ccf = new CCFPolyfill();
+class OpenEnclavePolyfill {
+    verifyOpenEnclaveEvidence(format, evidence, endorsements) {
+        throw new Error("Method not implemented.");
+    }
+}
+globalThis.openenclave = new OpenEnclavePolyfill();
 function nodeBufToArrBuf(buf) {
     // Note: buf.buffer is not safe, see docs.
     const arrBuf = new ArrayBuffer(buf.byteLength);